pyyaml is vulnerable to arbitrary code execution. The vulnerability exists because .yaml files are parsed by FullLoader, which the unsafe yaml.load() uses by default.
CPE

Name | Operator | Version
---|---|---
pyyaml | le | 5.3
py3-yaml:3.11 | eq | 5.2-r0
py3-yaml:edge | eq | 5.3-r0
lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html
lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html
bugzilla.redhat.com/show_bug.cgi?id=1807367
bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747
github.com/yaml/pyyaml/commit/0e40611117cf048c4c078b8ff02a8dbfb10aa381
github.com/yaml/pyyaml/pull/386
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/
www.oracle.com/security-alerts/cpujul2022.html